Secretive information about critical security bugs in popular Microsoft products – including the Windows operating system (OS) – was compromised by hackers back in 2013. However, the US technology giant chose not to tell its customers about the full scope of the attack.
That's according to five former Microsoft employees, who each spoke separately to Reuters about the previously unknown incident. They said cybercriminals accessed a database that was used to track flaws in its software and likely gleaned insight into unfixed vulnerabilities.
But post-analysis, Microsoft believed that no customers were put at risk by the loss of data. As a result, officials decided not to tell the public about the breach.
The five insiders, who remain anonymous, said that the Microsoft patch-tracking database was protected with little more than a single password.
They said an investigation was launched to find out if the flaws were exploited in other breaches in 2013.
Reuters reported that the probe found that bugs were indeed used in other hacks, but concluded the culprits may have obtained such code from other sources.
Patches were rolled out to customers within the space of a month, the ex-staffers said, adding that two-factor authentication was also added to the database's login.
Back in 2013, the firm acknowledged a single "security intrusion" on its systems but did not elaborate. It later emerged the infiltration was work of an elusive group known as "Wild Neutron" – also responsible for successfully hacking computers at Facebook and Apple.
"Microsoft can confirm that we also recently experienced a similar security intrusion," wrote Matt Thomlinson, general manager at Microsoft in a brief statement at the time. "We have no evidence of customer data being affected and our investigation is ongoing," he added.
Eric Rosenbach, former deputy assistant secretary of defence for cyber at the US Department of Defense (DoD), told Reuters that the stolen Microsoft bug information could have provided attackers with "a skeleton key for hundreds of millions of computers around the world".
There is no suggestion of legal wrongdoing, and some experts believe that not speaking out was in the best interests of Microsoft's customers. Over the years, as cyberattacks have become more prevalent, many firms have changed to adopt greater transparency.
"It could be argued that an alleged breach of its vulnerability database is news worth sharing, though I suspect keeping a lid on it was probably a better option than telling the hacking community it could be open season for them," said Comparitech security expert Lee Munson.
"Wild Neutron" – also known as Morpho and Butterfly – was able to penetrate computers of several Silicon Valley employees before moving into wider company networks.
In 2015, in an analysis of the hacking group, Kaspersky Lab found it was operating in 11 countries around the world – including Russia, Germany, Palestine and the US.
"Wild Neutron is a skilled and quite versatile group," said Costin Raiu, director of the global research and analysis team at Moscow-based Kaspersky Lab. Active since 2011, it has been using at least one zero-day exploit, custom malware and tools for Windows and OS X.
"Even though in the past it has attacked some of the most prominent companies in the world, it has managed to keep a relatively low profile," he added.
It's rare for hackers to break into such a valuable target and there is only one other known instance of similar corporate data leaking into the hands of cybercriminals. Two years ago, an attacker infiltrated Mozilla and stole data on 10 severe and unpatched security flaws.
Unlike Microsoft Mozilla went on to release a full analysis of the hack, Reuters noted.
In a statement, a Microsoft spokesperson said: "Our security teams actively monitor cyber threats to help us prioritise and take appropriate action to keep customers protected."